Logo TheStaticTurtle


The very long story on how I setup LDAP authentication for my samba shares with ACLs on TrueNAS

Disclaimer: This is not a tutorial, just a lot of notes about how I setup SMB shares with LDAP auth on TrueNAS

So with my new NAS I thought it might be nice to do things properly and have a centralized user system for all the other apps that I have.

First thing that comes to mind is an AD there are a few issues with that:

Next I found FreeIPA which is pretty cool, and I probably could get it to work now but when I started last week I could not get it to work with the smb shares. This is one thing I might go back to and try again

Installing OpenLDAP

So next I went to town and installed OpenLDAP this was the easy part this tutorial pretty much explains it all https://computingforgeeks.com/install-and-configure-openldap-server-ubuntu/ . The main things are:

Yay, let's add SSL/TLS

So I don't know why it's need but somehow doesn't work without.

As I'm trying to set up a proper network, I didn't want to just generate certificates on the LDAP container and transfer them to machines on the network afterwards.

So I launched XCA and created a new DB, created a CA certificate/pkey combo and an TLS certificate/pkey for the LDAP server

I then put the CA certificate and LDAP TLS certificate under /etc/ssl/certs/ and the LDAP TLS private key under /etc/ssl/private/

Then followed this tutorial https://computingforgeeks.com/secure-ldap-server-with-ssl-tls-on-ubuntu/ skipping the part about generating the certificates (start at step 2) and using the proper paths.

I also added the certificates in **every **config file possible, added the ldaps:/// service in /etc/default/slapd

And it worked, yay

Adding LDAP to TrueNAS

Adding LDAP auth was really easy, just pop in the hostname, base and bind DNs (+ the password) and that was it

At this point, I had a test account on my LDAP server and was able to ssh to TrueNAS with this user

Adding LDAP to samba

That's the tricky part, as there is so little documentation / forum post that you might as well say that there is none

After many hours of searching, I found this note in the truenas documentation:

Adding the samba attributes

Again, doing the smbldap-tools is the tricky part. The Ubuntu tutorial is pretty good (https://guide.ubuntu-fr.org/server/samba-ldap.html) a few things were different tho:

The command smbldap-populate should work without any issues:

Then using an LDAP browser you should see the root and nobody users in the people OUs:
The most important part is the samba attributes, if they aren't there something is messed up

Creating a user

It's actually really easy, you just' can't do it remotely in order to populate the samba fields:

smbldap-useradd -a -d /mnt/main/home/my_user -N my_user -P -B 0 -s /bin/bash my_user

Logging in

Actually, using smbclient with a user in the LDAP does not work

Turns out it didn't even find the user
I thought that TrueNAS would automatically configure samba to use ldap what a naive mistake why the hell would something work when you activate it...

So after search for I while I figured out that you can either have local login or ldap login fine I guess but not ideal if the LDAP server fails.

To configure samba, I wrote this in the auxiliary parameters of the SMB service settings:

passdb backend = ldapsam:ldap://

ldap admin dn = cn=admin,dc=lan,dc=xxxxxx,dc=fr
ldap group suffix = ou=groups
ldap machine suffix = ou=machines
ldap passwd sync = yes
ldap suffix = dc=lan,dc=xxxxxx,dc=fr
ldap ssl = no
ldap user suffix = ou=people

idmap config * : range = 10000-39999
ldapsam:trusted = yes
idmap config * : backend = tdb

This translates to this full config

TrueNAS Samba ldap config . GitHub Gist: instantly share code, notes, and snippets.
TrueNAS Samba ldap config

TrueNAS Samba ldap config . GitHub Gist: instantly share code, notes, and snippets.

That was not the end tho because now using smbclient printed out this error:

After starting smbd manually once again, this was the actual error:

The primary group domain sid(S-1-5-21-1836219694-1107345289-1677364427-513) does not match the domain sid(S-1-5-21-3359593988-3909439102-1203953793) for david(S-1-5-21-3359593988-3909439102-1203953793-10004)

When I think about it, the domain SID is clearly wrong, and it's using the SID from the FLUFFY domain instead of the actual one, so I got the sid for it and modified every ldap entry (groups included) by replacing S-1-5-21-3359593988-3909439102-1203953793 (fluffy) to S-1-5-21-1836219694-1107345289-1677364427 (which is the value that worked for me).

Then as a good measure I also modified the SID= in the /etc/smbldap-tools/smbldap.conf file

Next came a lof of joy:

It actually worked and sure enough it mounted just fine

Groups and ACLs

So right now I have two shares, the home one and the media one (containing photos and videos, probably audio at some point)

To start, I created a few groups with smbldap-groupadd and reorganized them.

Then I edited all the ACLs on TrueNAS to look like this:


User: root
Group: Gringotts User

@group ALLOW Traverse
@owner ALLOW Full


User: root
Group: Gringotts User

@group ALLOW Read
@owner ALLOW Full


User: root
Group: Gringotts User

@owner ALLOW Full
"Gringotts Photo Read" ALLOW Read
"Gringotts Photo Write" ALLOW Full


User: root
Group: Gringotts User

@owner ALLOW Full
"Gringotts Video Read" ALLOW Read
"Gringotts Video Write" ALLOW Full

These ACLs only allow access to members of the "Gringotts User" group to the shares and granularly the Read/Write permissions for the video and photo dataset

**Note: **I did have to restart smbd on TrueNAS manually to update the permissions


I'm very happy on how it turned out, the LDAP is pretty easy to manage and sync-up pretty fast. There are a few things that could be better / will do next:


Main resources / websites used for this setup:

CommentsShortcut to: Comments

Want to chat about this article? Just post a message down here. Chat is powered by giscus and all discussions can be found here: TheStaticTurtle/blog-comments